Abstract — The world of fast-spreading intrusions requires advanced 
technologies not only in detection algorithms, but also in automated 
response techniques, in order to preserve the availability and 
integrity of networked computing systems. This paper describes a new 
approach to automated response called the response and recovery 
engine (RRE). The RRE builds a game-theoretic response strategy 
against adversaries modeled as opponents in a two-player Stackelberg 
stochastic game. It uses attack-response trees (ARTs) to analyze 
undesired system-level security events within host computers and 
their countermeasures; Boolean logic is used to combine lower-level 
attack consequences. The RRE also accounts for the uncertainty in the 
alert notifications produced during intrusion detection. It then 
chooses optimal response actions by solving a partially observable 
competitive Markov decision process that is automatically derived 
from the attack-response trees. To support network-level 
multi-objective response selection and to consider possibly 
conflicting network security properties, fuzzy logic theory is used to 
calculate network-level security metric values, i.e., the security 
levels of the system’s current state and of its probable future states 
in each stage of the game. In particular, the inputs to the 
network-level game-theoretic response selection engine are first given 
to a fuzzy system that performs nonlinear inference and quantitatively 
ranks the possible actions using its predefined fuzzy rule set. The 
optimal network-level response actions are then chosen through a 
game-theoretic optimization technique. Experimental results show that 
the RRE, using Snort’s alerts, can protect large networks for which 
attack-response trees have more than 500 nodes. 

Index Terms — Intrusion Detection Systems (IDSes), Attack-Response 
Tree (ART), Response and Recovery Engine (RRE), Fuzzy Logic, Markov 
Decision Processes. 


I. Introduction 

The severity and variety of intrusions on computer networks are 
increasing quickly, which is why preserving the availability and 
integrity of networked computing systems has become one of the prime 
necessities. Incident handling can be divided into three broad classes. 
First, there are intrusion prevention methods that take actions to 
prevent attacks from occurring, for instance, network flow encryption 
to prevent man-in-the-middle attacks. Second, there are intrusion 
detection systems (IDSes), Snort being one example, which try to detect 
incorrect, inappropriate, or anomalous network activities, for example 
by recognizing CrashIIS attacks through their malformed packet 
payloads. Finally, there are intrusion response techniques, which are 
responsible for taking responsive actions based on the IDS alerts 
received, to stop attacks before they can cause damage and to ensure 
the safety of the computing environment. 

Most research to date has focused on improving techniques for 
intrusion prevention and detection, while intrusion response usually 
remains a manual process performed by network administrators: they are 
notified by IDS alerts and then respond to the intrusions by hand. This 
manual response process introduces a delay between notification and 
response that an attacker can easily exploit, and it may significantly 
increase the damage. The delay cannot be avoided as long as the 
response is manual. Therefore, to reduce the severity of attack damage 
resulting from delayed response, an automatic (non-manual) intrusion 
response is needed that reacts quickly to intrusions. In other words, 
advanced technologies are required not only in detection algorithms 
but also in response techniques, and this advance can be achieved by 
integrating automated response techniques. 

We present an automated cost-sensitive intrusion response system 
called the response and recovery engine (RRE). RRE models the security 
battle between itself and the attacker as a multistep, sequential, 
hierarchical, non-zero-sum, two-player stochastic game in which the 
RRE and the attacker are the two opponents. 

In every step of the game, RRE combines a new extended attack tree 
structure, called the attack-response tree (ART), with the received 
IDS alerts to evaluate various security properties of the individual 
host systems within the network. 

ARTs provide a formal way to describe host system security based on 
possible intrusion and response scenarios for the attacker and the 
response engine, respectively. Mainly, ARTs enable RRE to consider the 
inherent uncertainties in alerts received from IDSes (i.e., false 
positive and false negative rates) when estimating the system’s 
security and deciding on response actions. 

Markov decision processes are then used: RRE automatically converts 
the attack-response trees into partially observable competitive Markov 
decision processes, which are solved to find the optimal response 
action against the attacker, i.e., the action that minimizes the 
maximum discounted accumulative damage the attacker can cause later in 
the game. Although the mathematical cost minimization in RRE itself 
takes a certain amount of time to complete in practice, RRE’s ultimate 
objective is to reduce intrusion response costs and the system damage 
caused by attacks compared with existing intrusion response solutions. 

Through this game-theoretic approach, the RRE adaptively adjusts its 
behavior according to the attacker’s probable future reactions, and 
thus prevents the attacker from causing significant damage to the 
system by taking an intelligently chosen sequence of actions. To deal 
with security issues of different granularity, RRE’s two-layered 
architecture consists of local engines, which reside in individual 
host computers, and a global engine, which resides in the response and 
recovery server and decides on global response actions when the system 
cannot be recovered by the local engines. 

RRE employs a fuzzy control-based technique that can take several 
different security properties and business objective functions into 
account simultaneously. RRE calculates quantitative scores for the 
possible network-level response actions using its predefined fuzzy 
rule set. The rule set is defined using fuzzy numbers, so the various 
input parameters can take qualitative values such as high or low, 
ranging between 0 and 1; this fully addresses the real-world challenge 
that accurate, well-defined values of the parameters involved are not 
always known. RRE extends the state of the art in intrusion response 
in several fundamental ways. We demonstrate that RRE is 
computationally efficient for large networks via prototyping and 
experimentation, and show that it is practical by studying commonly 
found power grid critical infrastructure networks. We believe, 
however, that RRE is widely applicable to all types of networks. 
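As an added illustration (not code from the paper or the RRE project), the following scores candidate network-level responses with a small fuzzy rule set of the kind described above: inputs are qualitative levels on [0, 1], rules are combined with min, and the result is defuzzified by weighted average. The membership functions, the rule base and the three sample actions are assumptions.

```python
# Constructed example (not the paper's own code): a small Mamdani-style fuzzy
# scorer that ranks candidate network-level response actions. Each action's
# inputs are the predicted security levels of two possibly conflicting
# properties and its cost, all on [0, 1]; the membership functions, rule base
# and sample actions are assumptions for illustration.

def tri(x, a, b, c):
    """Triangular fuzzy number peaking at b and zero outside (a, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

TERMS = {  # linguistic values shared by every input variable
    "low": lambda x: tri(x, -0.5, 0.0, 0.5),
    "med": lambda x: tri(x, 0.0, 0.5, 1.0),
    "high": lambda x: tri(x, 0.5, 1.0, 1.5),
}

# Rule base: antecedent (input -> term, combined with AND) and the crisp
# desirability the rule votes for.
RULES = [
    ({"conf": "high", "avail": "high"}, 1.0),   # both properties preserved
    ({"conf": "high", "avail": "low"}, 0.5),    # confidentiality at the cost of uptime
    ({"conf": "low", "avail": "high"}, 0.4),    # uptime kept, data exposed
    ({"conf": "low", "avail": "low"}, 0.0),
    ({"cost": "high"}, 0.1),
    ({"cost": "low"}, 0.7),
]

def score(inputs: dict) -> float:
    """Fire every rule (min for AND) and defuzzify by weighted average."""
    num = den = 0.0
    for antecedent, out in RULES:
        w = min(TERMS[term](inputs[var]) for var, term in antecedent.items())
        num += w * out
        den += w
    return num / den if den else 0.0

def rank(actions: dict) -> list:
    """Highest-scoring response first, as (score, name) pairs."""
    return sorted(((score(i), n) for n, i in actions.items()), reverse=True)

ACTIONS = {  # constructed predicted outcomes of three candidate responses
    "isolate subnet": {"conf": 0.9, "avail": 0.2, "cost": 0.7},
    "rate-limit":     {"conf": 0.6, "avail": 0.8, "cost": 0.3},
    "do nothing":     {"conf": 0.2, "avail": 1.0, "cost": 0.0},
}
```

Calling `rank(ACTIONS)` puts "rate-limit" first: it keeps both properties reasonably high at low cost, whereas isolating the subnet scores lowest because the availability and cost rules pull against its confidentiality gain.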


II. Motivation 

When a large computer network is deployed in an area, it contains a 
large number of systems. Networks grow in size every day, and so their 
security is affected to a great extent. IP fragmentation, Simple Mail 
Transfer Protocol (SMTP) mass mailing, DoS attacks, flood attacks, 
spoofing, and buffer overflows are some of the attacks that occur in 
networks. Another serious threat to a network is intrusion, to which 
these systems are prone. The need to solve the problem of maintaining 
the security of computer networks is one of our motivations. 

The main aim is to detect these intrusions and to provide appropriate 
countermeasure actions against ongoing attacks, which limit system 
damage and provide a proper response to the intruders. 

Intrusion response is usually a manual process performed by network 
administrators, who are notified by IDS alerts and then respond to the 
intrusions. The manual response process introduces a delay between 
notification and response, and the problem persists because this delay 
can easily be exploited by the attacker. Genetic algorithms used for 
IDSes have been the most efficient techniques for generating intrusion 
alerts, but a proper automated response to those alerts was the main 
motivation. 

RRE is preferred because it can satisfy all of the requirements: 
specifically, it gives us a technique for automated response that 
reduces both intrusion response cost and intrusion response time. 


III. Purpose 

• Many intrusion detection systems exist; the act of detecting 
actions that attempt to compromise the confidentiality, integrity, or 
availability of a computer resource is referred to as intrusion 
detection. 

• These intrusion detection systems have certain issues that must be 
handled, and there is a need to overcome these problems. We therefore 
preferred RRE, since it not only overcomes the problems with IDSes but 
also focuses on automated response. 

• With an intrusion detection system, the attacker can be found 
automatically from the IDS alerts, but the response must be provided 
by a manual response process, which is bound by time constraints. To 
overcome this drawback, the intrusion response system is automated, 
and so we chose RRE. 

• Unlike other response strategies, which may involve manual methods, 
RRE uses a game-theoretic response strategy that defines the basic 
mechanism for automated response. 

• Scalability is also needed, for intrusion detection systems as well 
as for response systems. RRE is designed so that it can be applied to 
any global area, and security in terms of intrusion prevention, 
detection, and response is increased. 


IV. SCOPE 

• RRE is applicable to all kinds of networks, because it provides a 
solution for every possibility, which makes its implementation 
universal. 

• Future work could extend the game to a Wardrop game with individual 
player strategies, and add node locality verification, i.e., finding 
the exact location of the node from which the user logs in to the 
server, for the case of large networks. 

• Moreover, the verification of attacks and of the responses to the 
user can be done using an alert correlation tree and an alert 
verification tree. This will enhance the technique for giving an 
optimal response and bring the response closer to full accuracy. 

• The implementation of RRE has been done on a very basic IDS, i.e., 
the Snort IDS, whereas further implementations could use higher-level 
and more thorough IDSes with more significant algorithms. 


V. PROPOSED SYSTEM 
Here, we present an automated cost-sensitive intrusion detection and 
response system called the response and recovery engine (RRE), which 
models the security battle between the intruder and itself as a 
multistep, sequential, hierarchical, non-zero-sum, two-player 
stochastic game. In every step of the game, RRE leverages a new 
extended attack tree structure, called the attack-response tree (ART), 
together with the received intrusion detection system (IDS) alerts, to 
evaluate various security properties of the individual host systems 
(i.e., end-user machines) within the network. ARTs provide a formal 
way to describe host system security based on probable intrusion and 
response scenarios for the attacker and the response engine, 
respectively. Mainly, ARTs enable RRE to consider the inherent 
uncertainties in alerts received from IDSes (i.e., false positive and 
false negative rates) when estimating the system’s security and 
deciding on response actions. RRE then automatically converts the ARTs 
into partially observable competitive Markov decision processes, which 
are solved to find the optimal response action against the attacker, 
i.e., the action that minimizes the maximum discounted accumulative 
damage the attacker can cause later in the game. 



VI. ALGORITHMIC SURVEY TO FINALIZE ALGORITHM 
Our engine builds a game-theoretic response strategy against 
adversaries modeled as opponents in a two-player Stackelberg 
stochastic game. The RRE applies ARTs to analyze undesired 
system-level security events within host computers and their 
countermeasures, using Boolean logic to combine lower-level attack 
consequences. In addition, the RRE accounts for uncertainties in 
intrusion detection alert notifications. The RRE then chooses optimal 
response actions by solving a partially observable competitive Markov 
decision process that is automatically derived from the 
attack-response trees. To support network-level multi-objective 
response selection and to consider possibly conflicting network 
security properties, we use fuzzy logic theory to calculate the 
network-level security metric values, i.e., the security levels of 
the system’s current and probable future states in every stage of the 
game. 


VII. SURVEY OF THE SELECTED ALGORITHM 
Attack-Response Tree (ART). To protect a local computing asset, its 
corresponding local engine first tries to determine which security 
properties of the asset have been violated as a result of an attack, 
given the set of alerts received. Attack trees offer a convenient way 
to systematically categorize the different ways in which an asset can 
be attacked. Local engines make use of a new extended attack tree 
structure, called an attack-response tree (ART), that makes it 
possible 1) to incorporate possible countermeasure (response) actions 
against attacks, and 2) to account for intrusion detection 
uncertainties due to false positives and false negatives in detecting 
successful intrusions, while estimating the current security state of 
the system. 
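The following is an added example (not the paper's or the RRE project's code) of the two ART properties just listed: leaves carry assumed IDS false-positive and false-negative rates so the tree yields a probability that the top-level security property is violated, AND/OR gates combine lower-level consequences, and candidate response actions are compared by how much top-event probability remains after the leaves they neutralize are repaired. The tree shape, rates and response names are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed example (not the paper's own code): a minimal attack-response
# tree. Leaves are IDS-observable events carrying assumed detector error
# rates; inner nodes are AND/OR gates combining lower-level consequences.

@dataclass
class Node:
    name: str
    gate: Optional[str] = None                # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    alert_seen: bool = False                  # did the IDS raise this leaf's alert?
    false_pos: float = 0.0                    # P(alert | no attack)
    false_neg: float = 0.0                    # P(no alert | attack)
    prior: float = 0.1                        # assumed prior P(attack)

def leaf_posterior(n: Node) -> float:
    """P(attack happened | what the IDS reported), by Bayes' rule."""
    if n.alert_seen:
        hit, miss = (1 - n.false_neg) * n.prior, n.false_pos * (1 - n.prior)
    else:
        hit, miss = n.false_neg * n.prior, (1 - n.false_pos) * (1 - n.prior)
    return hit / (hit + miss)

def violated(n: Node, repaired: Set[str] = frozenset()) -> float:
    """Probability the node's security property is violated; leaves in
    `repaired` count as neutralized by a response (sibling subtrees independent)."""
    if n.gate is None:
        return 0.0 if n.name in repaired else leaf_posterior(n)
    ps = [violated(c, repaired) for c in n.children]
    if n.gate == "AND":                       # every sub-goal is required
        return math.prod(ps)
    return 1 - math.prod(1 - p for p in ps)   # OR: any one sub-goal suffices

def rank_responses(root: Node, actions: dict) -> list:
    """Order responses (name -> set of leaves it neutralizes) by residual top-event probability."""
    return sorted((violated(root, fixed), name) for name, fixed in actions.items())

# Constructed host-level ART: the top event is reached either through a
# two-step web path (injection AND credential theft) or a direct root shell.
ART = Node("host compromised", "OR", [
    Node("db data stolen", "AND", [
        Node("sqli", alert_seen=True, false_pos=0.20, false_neg=0.10),
        Node("cred_read", alert_seen=True, false_pos=0.05, false_neg=0.20),
    ]),
    Node("root_shell", alert_seen=False, false_pos=0.01, false_neg=0.30),
])
```

With these rates `violated(ART)` is about 0.24, and repairing the "sqli" leaf leaves less residual probability than killing the unobserved root shell, because the OR gate keeps the two-step web path alive in the latter case.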



Node Decomposition in ART 

[Figure: example attack-response tree, rooted at the top event (System's ...)] 

IX. SYSTEM FEATURE 

We provide a high-level architecture of the response and recovery 
engine (RRE). It has two types of decision-making engines at two 
different layers, i.e., local and global. The two-layer architecture 
improves scalability and performance for large-scale computer 
networks, in which RRE is supposed to protect a large number of 
personal computers against malicious attackers. Separating high-level 
and low-level security issues also significantly simplifies the 
accurate design of the response engines. At the first layer, RRE’s 
local engines are distributed across the host computers. Their main 
inputs are intrusion detection system (IDS) alerts and attack-response 
trees (ARTs). All IDS alerts are sent to and stored in an alert 
database, to which each local engine subscribes so that it is notified 
whenever an alert related to its host computer is received. The 
internal architecture of an engine includes two components: the state 
space generator and the decision engine. Once the inputs have been 
received, all possible cyber security states that the host computer 
could be in are generated. This state space might be intractably 
large; therefore, RRE only partially generates the state space, so 
that the decision-making unit can quickly decide on the optimal 
response action. The decision-making unit employs a game-theoretic 
algorithm that models the attacker-RRE interaction as a two-player 
game in which each player tries to maximize his or her own benefit. 
This implies that, once a system is under attack, immediate greedy 
response decisions are not necessarily the best choices, as they may 
not guarantee the minimum total accumulative cost of complete recovery 
from the attack. 


X. CONCLUSION 

A game-theoretic intrusion detection and response engine, called the 
response and recovery engine, was presented. We modeled the security 
maintenance of computer networks as a Stackelberg stochastic 
two-player game in which the attacker and the response engine attempt 
to maximize their own benefits by taking optimal attack and response 
actions, respectively. Experiments show that the response and recovery 
engine (RRE) efficiently takes appropriate response actions against 
ongoing attacks, which reduce system damage and intrusion response 
cost compared with existing static and dynamic intrusion response 
system (IRS) solutions. 